Two factor authentication is about improving consumer trust of the web so
that projected economic growth of the medium can get back on track. If this
is the objective that it sets out to achieve then it looks like it will be
successful. It will be the next 'SSL' - the thing that makes the web secure!
If that is where the buy-in comes from - so be it. Our job is to make the
most of the opportunity and try to protect the end user from being sucked in
by the 'silver bullet' hype.
This incident is a timely reminder that you can't throw tech at every problem.
In many ways it is the tech that helped this scam to succeed - If they had
followed all the rules and adapted a security approach that was clear,
consistent and easy to understand, many people probably wouldn't have fallen
victim to this scam.
Consumers are starting to understand through our efforts in raising
awareness that they need to look at the domain name. This attack - with its
Russian domain address - was no different except that the users were under a
false sense of security from their high tech two factor authentication
solution!
Point of distribution for tokens is an ideal opportunity to deliver honest,
straight security advice to end users. I hope that it doesn't get wasted.
--------------------------------------------------------------------------------
From: Nick Owen [mailto:nowen at wikidsystems.com]
Sent: Tue 11/07/2006 00:43
To: 'Jeremiah Grossman'; 'Web Security'
Subject: RE: [WEB SECURITY] Phishing attacks circumventing two-factor auth
>-----Original Message-----
>From: Jeremiah Grossman [mailto:jeremiah at whitehatsec.com]
>Sent: Monday, July 10, 2006 5:13 PM
>To: Web Security
>Subject: [WEB SECURITY] Phishing attacks circumventing two-factor auth
>
>Brian Krebs (washingtonpost.com) has a good write-up about a
>recent phishing attack specifically designed to circumvent
>two-factor authentication. The technique used a fake web page
>acting as a man-in-the-middle between the user and the real
>website. A simple hack proving a good point. How can a user
>defend themselves with any kind of solution if they can't
>tell whether or not a website is real?
>
>Citibank Phish Spoofs 2-Factor Authentication
>http://blog.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.html
>
>"Security experts have long touted the need for financial Web
>sites to move beyond mere passwords and implement so-called
>"two-factor authentication" -- the second factor being
>something the user has in their physical possession like an
>access card -- as the answer to protecting customers from
>phishing attacks that use phony e-mails and bogus Web sites
>to trick users into forking over their personal and financial data."
I think the 2FA for financial sites "debate" has suffered from a lack of
definition of the tasks at hand and that thinking in terms of session,
host/mutual and transaction authentication can provide a more useful
framework for solving problems such as MITM, session hijackers, etc.
Unfortunately, there is no easy answer or magic bullet (as usual), but
clearly there are ways to reduce fraud to acceptable/insurable levels.
My .02,
nick
--
Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
http://www.wikidsystems.com
Open source: http://sourceforge.net/projects/wikid-twofactor/
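The distinction Nick draws above between session authentication and transaction authentication is the one a defender most needs to see in code. The following is an added illustration, not code from this thread, from WiKID, or from any bank: it assumes a hypothetical counter-based token with a constructed shared seed, a six-digit HMAC-SHA1 truncation in the HOTP style, and a toy `Bank` verifier. It shows that a one-time password bound only to a counter is accepted when a relaying proxy forwards it unchanged (the scenario in Brian Krebs' write-up), while a code that also binds the payee and amount the user confirmed on the token is rejected as soon as the proxy rewrites either field.

```python
import hashlib
import hmac
import struct

# Constructed, hypothetical token seed shared between the user's token and the
# bank's verifier; a real deployment provisions a distinct seed per token.
TOKEN_SEED = b"constructed-example-seed-0001"
DIGITS = 6


def _truncate(mac: bytes) -> str:
    """Dynamic truncation of an HMAC to a fixed-length decimal code (HOTP style)."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** DIGITS):0{DIGITS}d}"


def session_otp(seed: bytes, counter: int) -> str:
    """Session OTP: depends only on the seed and a counter, nothing about
    what the user is trying to do, so anyone holding it can use it once."""
    return _truncate(hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest())


def transaction_otp(seed: bytes, counter: int, payee: str, amount_cents: int) -> str:
    """Transaction-bound code: the payee and amount the user confirms on the
    token are mixed into the MAC, so the code is valid for that transfer only."""
    msg = (struct.pack(">Q", counter)
           + payee.encode("utf-8") + b"\x00"      # separator keeps fields unambiguous
           + struct.pack(">Q", amount_cents))
    return _truncate(hmac.new(seed, msg, hashlib.sha1).digest())


class Bank:
    """Toy verifier: tracks the expected counter for one user's token."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.counter = 0

    def login(self, code: str) -> bool:
        ok = hmac.compare_digest(session_otp(self.seed, self.counter), code)
        if ok:
            self.counter += 1          # each code is accepted at most once
        return ok

    def transfer(self, payee: str, amount_cents: int, code: str) -> bool:
        expected = transaction_otp(self.seed, self.counter, payee, amount_cents)
        ok = hmac.compare_digest(expected, code)
        if ok:
            self.counter += 1
        return ok


def relayed_session_login_accepted() -> bool:
    """Session-only OTP: a proxy that forwards the code unchanged within its
    validity window is indistinguishable from the user, so the login succeeds."""
    bank = Bank(TOKEN_SEED)
    code_typed_into_fake_site = session_otp(TOKEN_SEED, bank.counter)
    return bank.login(code_typed_into_fake_site)   # True: the OTP bought nothing


def tampered_transfer_accepted() -> bool:
    """Transaction authentication: the user approved 'Alice Example' / 50.00 on
    the token; a proxy that rewrites payee or amount cannot reuse that code."""
    bank = Bank(TOKEN_SEED)
    user_code = transaction_otp(TOKEN_SEED, bank.counter, "Alice Example", 5000)
    return bank.transfer("Mallory Example", 500000, user_code)   # False


def honest_transfer_accepted() -> bool:
    """Same code presented with the details the user actually confirmed."""
    bank = Bank(TOKEN_SEED)
    user_code = transaction_otp(TOKEN_SEED, bank.counter, "Alice Example", 5000)
    return bank.transfer("Alice Example", 5000, user_code)       # True


if __name__ == "__main__":
    print("relayed session OTP accepted:", relayed_session_login_accepted())
    print("tampered transfer accepted:  ", tampered_transfer_accepted())
    print("honest transfer accepted:    ", honest_transfer_accepted())
```

The design point is where the user's intent enters the MAC: with `session_otp` nothing the user sees is bound to the code, so a relay proxy gets exactly what the user gets. With `transaction_otp` the proxy can at most let the transfer the user really confirmed go through, which is the "acceptable/insurable" level of residual risk rather than the unbounded one. The six-digit truncation means a forged code still has a one-in-a-million chance of matching, so a verifier also needs a retry limit and the counter increment on success shown here.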
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]